Zero-Day Exploit Targets IE Flaws
Page 1 of 1
is mulling a plan to go outside of its monthly patching cycle to release a fix for two "extremely critical" vulnerabilities in its flagship Internet Explorer (IE) Web browser.
A Microsoft spokesman said the company was investigating public details of a malicious attack exploiting the IE flaws. "Microsoft is actively investigating these reports, to determine the appropriate course of action to protect our customers. This might include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs."
According to research firm Secunia, the holes can be exploited to open files on the local computer or to bypass IE security zones and execute malicious software in an Internet Zone with less restrictions.
News of the latest IE flaws have prompted heated discussions on security mailing lists and bulletin boards after a researcher released details of "zero day exploits" loading adware programs and browser toolbars on vulnerable machines.
The use of adware
In this instance, Microsoft warned that it was a "criminal offense" to intentionally use exploit code to cause damage. "[We will] work aggressively with law enforcement to help prosecute individuals or organizations who engage in these activities," the spokesman said.
As a temporary workaround, the company recommends that enterprise customers increase the security of the Local Machine Zone in Internet Explorer.
Secunia said a successful exploitation requires that a user can be tricked into following a link or view a malicious HTML document. IE users can disable Active Scripting support as a protection mechanism.